rubygems -- request hijacking vulnerability

Details

VuXML ID: a0089e18-fc9e-11e4-bc58-001e67150279
Discovery: 2015-05-14
Entry: 2015-05-17

Jonathan Claudius reports:

RubyGems provides the ability of a domain to direct clients to a
separate host that is used to fetch gems and make API calls against.
This mechanism is implemented via DNS, specifically a SRV record
_rubygems._tcp under the original requested domain.

RubyGems did not validate the hostname returned in the SRV record
before sending requests to it. This left clients open to a DNS
hijack attack, whereby an attacker could return a SRV of their
choosing and get the client to use it.
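
The kind of check the report says was missing, as an added example (not RubyGems' own code): an SRV target is accepted only when it is the requested domain itself or a subdomain of it, and the client otherwise falls back to the domain it originally asked for. The acceptance policy, the helper names and the sample hostnames are assumptions constructed for illustration.

```ruby
# Added example: validate the target of a _rubygems._tcp SRV answer before
# sending any request to it. All helper names here are hypothetical.

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = /[a-z0-9](?:[a-z0-9-]*[a-z0-9])?/
HOSTNAME = /\A#{LABEL}(?:\.#{LABEL})*\z/

# Lowercase the name and drop the trailing root dot that DNS answers carry.
def normalize_dns_name(name)
  name.to_s.strip.downcase.chomp(".")
end

# True only if srv_target is requested_domain or a subdomain of it.
# The comparison is anchored on a label boundary (the leading dot), so
# "evilexample.org" does not pass as a match for "example.org".
def srv_target_allowed?(requested_domain, srv_target)
  domain = normalize_dns_name(requested_domain)
  target = normalize_dns_name(srv_target)
  return false unless domain.match?(HOSTNAME) && target.match?(HOSTNAME)

  target == domain || target.end_with?(".#{domain}")
end

# Host the client should talk to: the SRV target if it validates,
# otherwise the domain the user originally requested.
def resolve_api_host(requested_domain, srv_target)
  if srv_target_allowed?(requested_domain, srv_target)
    normalize_dns_name(srv_target)
  else
    normalize_dns_name(requested_domain)
  end
end

# Constructed sample answers for the requested domain "example.org".
SAMPLE_TARGETS = [
  "gems.example.org.",        # subdomain: accepted
  "other-host.test.",         # unrelated host: rejected
  "evilexample.org.",         # shared suffix, different domain: rejected
  "example.org.other.test."   # requested domain used as a prefix: rejected
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_TARGETS.each do |t|
    puts format("%-26s -> %s", t, resolve_api_host("example.org", t))
  end
end
```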